Abstract. A collaboration network is a graph formed by communication
channels between parties. Parties communicate over these channels
to establish secrets, simultaneously enforcing interdependencies between 
the secrets. The paper studies properties of these interdependencies that 
are induced by the topology of the network. In previous work, the au- 
thors developed a complete logical system for one such property, inde- 
pendence, also known in the information flow literature as nondeducibil- 
ity. This work describes a complete and decidable logical system for the 
functional dependence relation between sets of secrets over a collabo- 
ration network. The system extends Armstrong's system of axioms for 
functional dependency in databases. 

1 Introduction 

In this paper, we study properties of interdependencies between pieces of infor- 
mation. We call these pieces secrets to emphasize the fact that they might be 
unknown to some parties. Below, we first describe two relations for expressing in- 
terdependencies between secrets. Next, we discuss these relations in the context 
of collaboration networks which specify the available communication channels 
for the parties establishing the secrets. 

1.1 Relations on Secrets 

One of the simplest relations between two secrets is functional dependence, which
we denote by $a \rhd b$. This means that the value of secret $a$ reveals the value of
secret $b$. This relation is reflexive and transitive. A more general and less trivial
form of functional dependence is functional dependence between sets of secrets.
If $A$ and $B$ are two sets of secrets, then $A \rhd B$ means that, together, the values
of all secrets in $A$ reveal the values of all secrets in $B$. Armstrong [1] presented
the following sound and complete axiomatization of this relation:

1. Reflexivity: $A \rhd B$, if $A \supseteq B$,

2. Augmentation: $A \rhd B \to A, C \rhd B, C$,

3. Transitivity: $A \rhd B \to (B \rhd C \to A \rhd C)$,



where here and everywhere below $A, B$ denotes the union of sets $A$ and $B$. The
above axioms are known in database literature as Armstrong's axioms [2, p. 81].
Beeri, Fagin, and Howard [3] suggested a variation of Armstrong's axioms that
describes properties of multi-valued dependency.

Not all dependencies between two secrets are functional. For example, if
secret $a$ is a pair $(x, y)$ and secret $b$ is a pair $(y, z)$, then there is an interdependency
between these secrets in the sense that not every value of secret $a$ is compatible
with every value of secret $b$. However, neither $a \rhd b$ nor $b \rhd a$ is necessarily true.
If there is no interdependency between two secrets, then we will say that the two
secrets are independent. In other words, secrets $a$ and $b$ are independent if any
possible value of secret $a$ is compatible with any possible value of secret $b$. We
denote this relation between two secrets by $a \parallel b$. This relation was introduced by
Sutherland [4] and is also known as nondeducibility in the study of information
flow. Halpern and O'Neill [5] proposed a closely related notion called $f$-secrecy.

Like functional dependence, independence also can be generalized to relate
two sets of secrets. If $A$ and $B$ are two such sets, then $A \parallel B$ means that any
consistent combination of values of the secrets in $A$ is compatible with any consistent
combination of values of the secrets in $B$. Note that "consistent combination"
is an important condition here, since some interdependency may exist between
secrets in set $A$ even while the entire set of secrets $A$ is independent from the
secrets in set $B$. A sound and complete axiomatization of this independence
relation between sets was given by More and Naumov [6]:

1. Empty Set: $\varnothing \parallel A$,

2. Monotonicity: $A, B \parallel C \to A \parallel C$,

3. Symmetry: $A \parallel B \to B \parallel A$,

4. Public Knowledge: $A \parallel A \to (B \parallel C \to A, B \parallel C)$,

5. Exchange: $A, B \parallel C \to (A \parallel B \to A \parallel B, C)$.

The assumption $A \parallel A$ in the Public Knowledge axiom guarantees that each
secret in the set $A$ has a fixed value and, thus, is "public knowledge". Details
can be found in the original work [6]. Essentially the same axioms were shown
by Geiger, Paz, and Pearl [7] to provide a complete axiomatization of the
independence relation between sets of random variables in probability theory.

A complete logical system that combines the independence and functional 
dependence predicates for single secrets was described by Kelvey, More, Naumov, 
and Sapp [8]: 

1. Reflexivity: $a \rhd a$,

2. Transitivity: $a \rhd b \to (b \rhd c \to a \rhd c)$,

3. Symmetry: $a \parallel b \to b \parallel a$,

4. Universal Independence: $a \parallel a \to a \parallel b$,

5. Universal Dependence: $a \parallel a \to b \rhd a$,

6. Substitution: $a \parallel b \to (b \rhd c \to a \parallel c)$,

where a, b and c, unlike A, B and C above, stand for single secrets, not sets of 
secrets. 



1.2 Secrets in Collaboration Networks 

So far, we have assumed that the values of secrets are determined a priori. In 
the physical world, however, secret values are often generated, or at least dis- 
seminated, via interaction between several parties. Quite often such interaction 
happens over a fixed network. For example, in social networks, interaction be- 
tween nodes happens along connections formed by friendship, kinship, financial 
relationship, etc. In distributed computer systems, interaction happens over com- 
puter networks. Exchange of genetic information happens along the edges of the 
genealogical tree. Corporate secrets normally flow over an organization chart. 
In cryptographic protocols, it is often assumed that values are transmitted over 
well-defined channels. On social networking websites, information is shared
between "friends". Messages between objects on a UML interaction diagram are
sent along connections defined by associations between the classes of the objects.

We attempt to capture this type of information flow over a graph by the 
notion of a collaboration network. Such a network consists of several parties 
connected by communication channels that form a network with a fixed topology. 
A pair of parties connected by a channel uses this channel to establish a secret. If 
the pairs of parties establish their secrets completely independently from other 
pairs, then possession of one or several of these secrets reveals no information 
about the other secrets. Assume, however, that secrets are not picked completely
independently. Instead, each party with access to multiple channels may enforce
some desired interdependency between the secrets it shares with other parties.
These "local" interdependencies between secrets known to a single party may 
result in a "global" interdependency between several secrets, not all of which 
are known to any single party. Given the fixed topology of the collaboration 
network, we study what global interdependencies between secrets may exist in 
the system. 




Fig. 1. Collaboration network $N_1$.

Consider, for example, the collaboration network $N_1$ depicted in Figure 1.
Suppose that the parties collaborate according to the following protocol. Party
$P$ picks a random value $a$ from $\{0, 1\}$ and sends it to party $Q$. Party $Q$ picks
values $b$ and $c$ from $\{0, 1\}$ in such a way that $a = b + c \bmod 2$ and sends both
of these values to $R$. Party $R$ computes $d = b + c \bmod 2$ and sends value $d$ to
party $S$. In this protocol, it is clear that the values of $a$ and $d$ will always match.
Hence, for this specific protocol, we can say that $a \rhd d$, but at the same time
$a \parallel b$ and $a \parallel c$.



Note that in the above example, all channels transmit secret messages in 
one direction and, thus, the channel network forms a directed graph. However, 
in the more general setting, two parties might establish the value of a secret 
through a dialog over their communication channel, with messages traveling in 
both directions. Thus, in general, we will not assume any specific direction on a 
channel. 

1.3 Data Streams and Collaboration Networks 

In this section, we will consider a more sophisticated example of collaboration 
network from network coding theory. 



Network coding studies methods of attaining maximum information flow in a
network where channels have limited throughput. A standard example of network
coding is given in terms of the butterfly network [9] depicted in Figure 2 as $N_2$.
Suppose that parties $P$ and $Q$ generate streams of 1-bit messages $a_1, a_2, \dots$
and $b_1, b_2, \dots$, respectively, with rate one message per second. They need to
transmit both sequences of messages to both $S$ and $T$ using only the available
communication channels. Each channel's throughput is one bit per second. Note
that any protocol over $N_2$ that attempts to independently transmit streams of
messages $\{a_i\}_i$ and $\{b_i\}_i$ will fail due to the limited combined capacity of the
three channels connecting parties $P$, $Q$, and $R$, with parties $S$, $T$, and $U$.

Fig. 2. Butterfly network $N_2$.

The desired result, however, can be easily achieved by a "network coding"
protocol that combines the two streams. Under this protocol, at time 1, party
$P$ transmits bit $a_1$ to both $S$ and $R$. At the same time, party $Q$ transmits bit
$b_1$ to both $T$ and $R$. At time 2, party $R$ already possesses bits $a_1$ and $b_1$, so can
compute the bit $a_1 + b_1 \bmod 2$ and send it to $U$. At time 3, party $U$ forwards
this bit to $S$ and $T$. Note that party $S$ received bit $a_1$ directly from party $P$,
and after receiving $a_1 + b_1 \bmod 2$ from $U$ one second later, $S$ can reconstruct the
value of $b_1$, since

$$a_1 + (a_1 + b_1) \equiv b_1 \pmod 2.$$

Similarly, party $T$ receives $b_1$ directly from $Q$, and can reconstruct the Boolean
value $a_1$ after receiving the sum from $U$. For each time $i > 1$, the propagation
of bits $a_i$ and $b_i$ is carried out in a similar fashion.

The coding protocol described above can be viewed as a protocol over a
collaboration network if the whole stream of messages sent over a single channel
in the coding network is interpreted as a single message in the collaboration
network. The computation rules of the coding protocol are viewed as the
local conditions of the collaboration network. For example, if the notation $m_{XY}$
denotes the entire secret value shared between parties $X$ and $Y$, and $[m_{XY}]_i$
denotes its $i$-th bit, then the local condition at party $R$ can be
described as

$$\forall i \ge 1 \; \left([m_{RU}]_{i+1} = [m_{PR}]_i + [m_{QR}]_i \pmod 2\right).$$

The desired properties of the protocol can be stated in our notation as

$$m_{PS}, m_{US} \rhd m_{QR}, m_{PR}$$

and

$$m_{QT}, m_{UT} \rhd m_{QR}, m_{PR}.$$

Other network protocols that deal with data streams, such as, for example, the 
alternating bit protocol [10], can similarly be interpreted in terms of collabora- 
tion networks. 
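The butterfly coding protocol of this section can be simulated slot by slot. The sketch below is an added example, not code from the paper: the channel names follow the $m_{XY}$ notation above, while filling idle slots with 0 and the function names are assumptions made here. The fact that a decoder exists at $S$ and at $T$ is exactly the dependence $m_{PS}, m_{US} \rhd m_{QR}, m_{PR}$ (and its counterpart for $T$).

```python
from itertools import product

def butterfly_streams(a, b):
    """Per-channel bit streams of the coding protocol on N2 for source streams
    a and b. Index t is time slot t+1; idle slots carry 0 (modelling assumption)."""
    def slot(bits, delay):             # place `bits` starting `delay` slots late
        return [0] * delay + list(bits) + [0] * (2 - delay)
    s = [x ^ y for x, y in zip(a, b)]  # a_i + b_i mod 2, computed at R
    return {
        "PS": slot(a, 0), "PR": slot(a, 0),   # P sends a_i to S and R
        "QT": slot(b, 0), "QR": slot(b, 0),   # Q sends b_i to T and R
        "RU": slot(s, 1),                     # R sends the sum one slot later
        "US": slot(s, 2), "UT": slot(s, 2),   # U forwards it one slot after that
    }

def local_condition_R(m):
    """[m_RU]_{i+1} = [m_PR]_i + [m_QR]_i (mod 2) for every slot i."""
    return all(m["RU"][i + 1] == (m["PR"][i] ^ m["QR"][i])
               for i in range(len(m["RU"]) - 1))

def decode(direct, coded):
    """What S (or T) does: keep the directly received stream and recover the
    other one by adding it to the coded stream that arrives two slots later."""
    n = len(direct) - 2
    mine = direct[:n]
    other = [mine[i] ^ coded[i + 2] for i in range(n)]
    return mine, other

def check_all(n):
    """Exhaustively confirm, for all source streams of length n, that the local
    condition at R holds and that S and T each recover both streams."""
    for a in product((0, 1), repeat=n):
        for b in product((0, 1), repeat=n):
            m = butterfly_streams(a, b)
            if not local_condition_R(m):
                return False
            if decode(m["PS"], m["US"]) != (list(a), list(b)):
                return False
            if decode(m["QT"], m["UT"]) != (list(b), list(a)):
                return False
    return True

if __name__ == "__main__":
    m = butterfly_streams([1, 0, 1], [1, 1, 0])   # constructed sample streams
    print("S recovers:", decode(m["PS"], m["US"]))
    print("all streams of length 3 decodable:", check_all(3))
```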

1.4 Network Topology 

The independence and functional dependence examples we have given so far
are for a single protocol, subject to a particular set of local interdependencies
between secrets. If the topology remains fixed, but the protocol is changed, then
secrets which were previously functionally dependent may no longer be so, and
vice versa. For example, for network $N_1$ above, the claim $a \rhd d$ will no longer
be true if, say, party $R$ switches from enforcing the local condition $d = b + c
\bmod 2$ to enforcing the local condition $d = b$. In this paper, we study properties
of relations between secrets that follow from the topological structure of the
network of channels, no matter which specific protocol is used, as long as it is
specified in terms of interdependencies between adjacent channels. Examples of
such properties for network $N_1$ are $(a \rhd d) \to (b, c \rhd d)$ and $(a \parallel b, c) \to (a \parallel d)$.

In an earlier work [11], we gave a complete axiomatic system for the
independence relation between single secrets over a collaboration network. In fact, we
axiomatized a slightly more general relation $a_1 \parallel a_2 \parallel \dots \parallel a_n$ between multiple
single secrets. One can also consider collaboration networks in which a secret
is known to any arbitrary subset of parties, rather than a pair of parties. In
a recent paper [12], we generalized the earlier independence results [11] to this
"hypergraph" setting.

In this article, we turn our attention to functional dependence in
(non-hypergraph) collaboration networks. Here, we present a sound and complete
logical system that describes the properties of the functional dependence relation
$A \rhd B$ between sets of secrets over any fixed network topology $N$. This system
includes Armstrong's Reflexivity, Augmentation, and Transitivity axioms. To these,
we add a Gateway axiom. The above-mentioned statement $(a \rhd d) \to (b, c \rhd d)$
is an instance of this new axiom for network $N_1$. We prove additional statements
about different collaboration networks in Section 5.

From the point of view of verification of a specific protocol, the logical calculus
introduced in this paper allows us to separate arguments about properties of the
protocol itself from the topological properties of the underlying network. For
example, since $(a \rhd d) \to (b, c \rhd d)$ is a property of network $N_1$, if the designers
of a particular cryptographic protocol over $N_1$ can guarantee that the value of
$d$ cannot be reconstructed from the values of $b$ and $c$, then using the axioms of
our logical system, one can prove that the value of $d$ is not revealed by the value
of $a$ for the same protocol.

2 Formal Setting 

Throughout this paper, we assume a fixed infinite alphabet of variables $a, b, \dots$,
which we refer to as "secret variables". By a network topology, we mean a finite
graph whose edges, or "channels", are labeled by secret variables. We allow loop
edges and multiple edges between the same pair of parties. The set of all channels
of network $N$ will be denoted by $Ch(N)$. One channel may have (finitely) many
labels, but the same label can be assigned to only one channel. Given this, we
will informally refer to "the channel labeled with $a$" as simply "channel $a$".

Definition 1. A semi-protocol over a network $N$ is a pair $(V, L)$ such that

1. $V(c)$ is an arbitrary set of "values" for each channel $c \in Ch(N)$,

2. $L = \{L_p\}_{p \in P}$ is a family of predicates, indexed by set $P$ of all parties of
the network $N$, which we call "local conditions". If $c_1, \dots, c_k$ is the list of all
channels incident with party $p$, then $L_p$ is a predicate on $V(c_1) \times \dots \times V(c_k)$.

Definition 2. A run of a semi-protocol $(V, L)$ is a function $r$ such that

1. $r(c) \in V(c)$ for any channel $c \in Ch(N)$,

2. If $c_1, \dots, c_k$ is the list of all channels incident with a party $p \in P$, then
predicate $L_p(r(c_1), \dots, r(c_k))$ is true.

Definition 3. A protocol is any semi-protocol that has at least one run.

The set of all runs of a protocol $\mathcal{P}$ is denoted by $\mathcal{R}(\mathcal{P})$.

Definition 4. A protocol $\mathcal{P} = (V, L)$ is called finite if the set $V(c)$ is finite for
every $c \in Ch(N)$.

We conclude this section with the key definition of this paper. It is the defi- 
nition of functional dependence between sets of channels. 



Definition 5. A set of channels $A = \{a_1, \dots, a_n\}$ functionally determines a set
of channels $B = \{b_1, \dots, b_k\}$, with respect to a fixed protocol $\mathcal{P}$, if

$$\forall r, r' \in \mathcal{R}(\mathcal{P}) \left( \bigwedge_{i \le n} r(a_i) = r'(a_i) \to \bigwedge_{j \le k} r(b_j) = r'(b_j) \right).$$

We find it convenient to use the notation $f =_X g$ if functions $f$ and $g$ are
equal on every argument from set $X$. Using this notation, we can say that a set
of channels $A$ functionally determines a set of channels $B$ if

$$\forall r, r' \in \mathcal{R}(\mathcal{P}) \; (r =_A r' \to r =_B r').$$

3 Language of Secrets

By $\Phi(N)$, we denote the set of all properties of secrets in collaboration network
$N$ definable through the predicate $A \rhd B$. More formally, $\Phi(N)$ is a minimal
set of formulas defined recursively as follows: (i) for any two finite sets of secret
variables (labels of channels in network $N$) $A$ and $B$, formula $A \rhd B$ is in $\Phi(N)$,
(ii) the false constant $\bot$ is in set $\Phi(N)$, and (iii) for any formulas $\phi$ and $\psi \in
\Phi(N)$, the implication $\phi \to \psi$ is in $\Phi(N)$. As usual, we assume that conjunction,
disjunction, and negation are defined through $\to$ and $\bot$.

Next, we define a relation $\vDash$ between a protocol and a formula from $\Phi(N)$.
Informally, $\mathcal{P} \vDash \phi$ means that formula $\phi$ is true under protocol $\mathcal{P}$.

Definition 6. For any protocol $\mathcal{P}$ over a network $N$, and any formula $\phi \in
\Phi(N)$, we define the relation $\mathcal{P} \vDash \phi$ recursively as follows:

1. $\mathcal{P} \nvDash \bot$,

2. $\mathcal{P} \vDash A \rhd B$ if the set of channels $A$ functionally determines set of channels
$B$ under protocol $\mathcal{P}$,

3. $\mathcal{P} \vDash \phi_1 \to \phi_2$ if $\mathcal{P} \nvDash \phi_1$ or $\mathcal{P} \vDash \phi_2$.

In this paper, we study the formulas $\phi \in \Phi(N)$ that are true under any protocol
$\mathcal{P}$ over fixed network $N$. Below we describe a formal logical system for such
formulas. This system, like earlier systems defined by Armstrong [1], More and
Naumov [13, 11, 12] and by Kelvey, More, Naumov, and Sapp [8], belongs to the
set of deductive systems that capture properties of secrets. In general, we refer
to such systems as logics of secrets. Since this paper is focused on only one such
system, here we call it the Logic of Secrets. Before stating the axioms of the
Logic of Secrets, we need one more technical definition.

By a path in a network, we mean any undirected path in the graph formed
by the channels of the network. We say that a set of channels $G$ is a gateway
between sets of channels $A$ and $B$ if any path from $A$ to $B$ goes through $G$. We
state this more formally below:



Definition 7. Let $A$, $B$, and $G$ be any three sets of channels in $Ch(N)$. Set $G$
is a gateway between sets $A$ and $B$ if for any path $(c_1, \dots, c_n)$ in network $N$,



Note that in the above definition sets $A$, $B$, and $G$ are not necessarily disjoint.
Thus, for example, for any set $A \subseteq Ch(N)$, set $A$ is a gateway between $A$ and
itself. Also, note that the empty set is a gateway between any two components
of the network that are not connected to one another.

4 Axioms 

For a fixed collaboration network $N$, the Logic of Secrets, in addition to
propositional tautologies and the Modus Ponens inference rule, contains the following
axioms:

1. Reflexivity: $A \rhd B$, if $A \supseteq B$,

2. Augmentation: $A \rhd B \to A, C \rhd B, C$,

3. Transitivity: $A \rhd B \to (B \rhd C \to A \rhd C)$,

4. Gateway: $A \rhd B \to G \rhd B$, if $G$ is a gateway between sets $A$ and $B$ in
network $N$.

Recall that the first three of these axioms were introduced by Armstrong [1],
and they are known in database theory as Armstrong's axioms [2, p. 81]. The
soundness of all four axioms will be shown in Section 6.

We use the notation $X \vdash_N \phi$ to state that formula $\phi$ is derivable from the
set of formulas $X$ in the Logic of Secrets for network $N$.
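Definitions 2, 5 and 7 and the Gateway axiom can be checked mechanically on a small finite protocol. The following Python sketch is an added example, not code from the paper: it assumes the topology of $N_1$ as read off the protocol in Section 1.2 (Figure 1 is not reproduced here), and all function names are introduced for illustration. It enumerates runs by brute force, tests functional dependence and independence, tests the gateway property the way the proof of Theorem 4 does (delete $G$ and look for a surviving connection), and samples random local conditions to look for violations of $(a \rhd d) \to (b, c \rhd d)$.

```python
import random
from itertools import product

# Network N1 as read off the protocol in Section 1.2 (assumption: Figure 1 is
# not reproduced here). Channel label -> the two parties it connects.
N1 = {"a": ("P", "Q"), "b": ("Q", "R"), "c": ("Q", "R"), "d": ("R", "S")}
BITS = {c: (0, 1) for c in N1}          # V(c) = {0, 1} on every channel

def incident(net, party):
    return sorted(c for c, ends in net.items() if party in ends)

def runs(net, values, local):
    """Definition 2: assignments r with r(c) in V(c) that pass every local
    condition. Each condition sees only the channels incident with its party."""
    chans, found = sorted(net), []
    for combo in product(*(values[c] for c in chans)):
        r = dict(zip(chans, combo))
        if all(cond({c: r[c] for c in incident(net, p)}) for p, cond in local.items()):
            found.append(r)
    return found

def determines(all_runs, A, B):
    """Definition 5: any two runs that agree on A also agree on B."""
    seen = {}
    for r in all_runs:
        key = tuple(r[c] for c in sorted(A))
        val = tuple(r[c] for c in sorted(B))
        if seen.setdefault(key, val) != val:
            return False
    return True

def independent(all_runs, a, b):
    """a || b: every value a takes in some run co-occurs with every value of b."""
    pairs = {(r[a], r[b]) for r in all_runs}
    return pairs == set(product({x for x, _ in pairs}, {y for _, y in pairs}))

def is_gateway(net, A, B, G):
    """Definition 7, tested as in the proof of Theorem 4: delete the channels
    of G and check that A minus G can no longer reach B minus G."""
    A, B, G = set(A), set(B), set(G)
    reached, frontier = set(A - G), list(A - G)
    while frontier:
        c = frontier.pop()
        for other, ends in net.items():
            if other not in G and other not in reached and set(ends) & set(net[c]):
                reached.add(other)
                frontier.append(other)
    return not (reached & (B - G))

# Protocol of Section 1.2: Q enforces a = b + c mod 2, R enforces d = b + c mod 2.
XOR_PROTOCOL = {
    "Q": lambda v: v["a"] == (v["b"] + v["c"]) % 2,
    "R": lambda v: v["d"] == (v["b"] + v["c"]) % 2,
}
# Variant of Section 1.4: R enforces d = b instead.
COPY_PROTOCOL = dict(XOR_PROTOCOL, R=lambda v: v["d"] == v["b"])

def random_protocol(net, values, rng):
    """Constructed test input: a random truth table per party over the values
    of its incident channels (may have no runs, i.e. be only a semi-protocol)."""
    local = {}
    for p in sorted({q for ends in net.values() for q in ends}):
        chans = incident(net, p)
        table = {k: rng.random() < 0.7 for k in product(*(values[c] for c in chans))}
        local[p] = lambda v, chans=chans, table=table: table[tuple(v[c] for c in chans)]
    return local

def gateway_violations(net, values, A, B, G, trials=500, seed=1):
    """Count sampled protocols where A |> B holds but G |> B fails."""
    rng, bad = random.Random(seed), 0
    for _ in range(trials):
        rs = runs(net, values, random_protocol(net, values, rng))
        bad += determines(rs, A, B) and not determines(rs, G, B)
    return bad

if __name__ == "__main__":
    xor_runs = runs(N1, BITS, XOR_PROTOCOL)
    print("a |> d:", determines(xor_runs, {"a"}, {"d"}))
    print("a || b:", independent(xor_runs, "a", "b"))
    print("{b,c} gateway:", is_gateway(N1, {"a"}, {"d"}, {"b", "c"}))
    print("violations:", gateway_violations(N1, BITS, {"a"}, {"d"}, {"b", "c"}))
```

Under the XOR protocol the set $\{b\}$ alone, which is not a gateway between $\{a\}$ and $\{d\}$, fails to determine $d$ even though $a \rhd d$ holds, so the gateway side condition of the axiom cannot be dropped.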

5 Examples of Proofs 

We will give three examples of proofs in the Logic of Secrets. Our first example
refers to square collaboration network $N_3$ depicted in Figure 3.




(1) 



l<i<n 
Fig. 3. Network $N_3$.



Proposition 1. $\vdash_{N_3} (a \rhd c) \wedge (b \rhd d) \to (a \rhd d) \wedge (b \rhd c)$.

Proof. Due to the symmetry of the network, it is sufficient to show that
$(a \rhd c) \wedge (b \rhd d) \to a \rhd d$. Note that $\{a, c\}$ is a gateway between sets $\{b\}$ and $\{d\}$.
Thus, by the Gateway axiom, $b \rhd d$ implies $(a, c \rhd d)$. On the other hand, by the
Augmentation axiom, the assumption $a \rhd c$ yields $(a \rhd a, c)$. By the Transitivity
axiom, $(a \rhd a, c)$ and $(a, c \rhd d)$ imply $a \rhd d$. □

For the second example, consider the linear network $N_4$ shown in Figure 4.

Fig. 4. Network $N_4$.



Proposition 2. $\vdash_{N_4} (a \rhd d) \wedge (e \rhd c) \to b \rhd c$.

Proof. We begin with the assumption that $e \rhd c$. Since $\{d\}$ is a gateway between
sets $\{e\}$ and $\{c\}$, by the Gateway axiom, $d \rhd c$. Next, using the assumption that
$a \rhd d$, the Transitivity axiom yields $a \rhd c$. Finally, we note that $\{b\}$ is a gateway
between $\{a\}$ and $\{c\}$, and apply the Gateway axiom once again to conclude that
$b \rhd c$. □

Note that the second hypothesis in the example above is significant. Indeed,
imagine a protocol on $N_4$ where $V(d) = \{0\}$, the set of values allowed on all other
channels is $\{0, 1\}$, and the local condition at each party $p$ is simply $L_p = \text{true}$.
In this protocol, $a \rhd d$ since the value of $a$ on any run clearly determines the
(constant) value of $d$. However, the value of $b$ is of no help in determining the
value of $c$, so the conclusion $b \rhd c$ does not hold.




Fig. 5. Network $N_5$.

As our final example, we prove a property of hexagonal collaboration network
$N_5$ shown in Figure 5.

Proposition 3. $\vdash_{N_5} (a_1, a_2 \rhd a_3) \wedge (a_2, a_3 \rhd a_1) \wedge (a_3, a_1 \rhd a_2) \to b_1, b_2, b_3 \rhd
a_1, a_2, a_3$.

Proof. Note that $\{b_1, b_3\}$ is a gateway between sets $\{a_2, a_3\}$ and $\{a_1\}$. Thus, by
the Gateway axiom, $(a_2, a_3 \rhd a_1) \to (b_1, b_3 \rhd a_1)$. Hence, by the assumption
$(a_2, a_3 \rhd a_1)$, we have that $(b_1, b_3 \rhd a_1)$. Similarly one can show that $(b_1, b_2 \rhd a_2)$
and $(b_2, b_3 \rhd a_3)$ using the assumptions $(a_3, a_1 \rhd a_2)$ and $(a_1, a_2 \rhd a_3)$.

Consider statements $(b_1, b_3 \rhd a_1)$ and $(b_1, b_2 \rhd a_2)$. By the Augmentation
axiom, they, respectively, imply that $(b_1, b_2, b_3 \rhd a_1, b_1, b_2)$ and $(a_1, b_1, b_2 \rhd a_1, a_2)$.
Thus, by the Transitivity axiom, $(b_1, b_2, b_3 \rhd a_1, a_2)$.

Now consider $(b_1, b_2, b_3 \rhd a_1, a_2)$ and statement $(b_2, b_3 \rhd a_3)$, established
earlier. By the Augmentation axiom, they, respectively, imply that $(b_1, b_2, b_3 \rhd
a_1, a_2, b_2, b_3)$ and $(a_1, a_2, b_2, b_3 \rhd a_1, a_2, a_3)$. Thus, by the Transitivity axiom,
$(b_1, b_2, b_3 \rhd a_1, a_2, a_3)$. □



6 Soundness 

In this section, we demonstrate the soundness of each of the four axioms in the 
Logic of Secrets. 

Theorem 1 (Reflexivity). $\mathcal{P} \vDash A \rhd B$, for any protocol $\mathcal{P}$ and any $B \subseteq A$.

Proof. Consider any two runs $r, r' \in \mathcal{R}(\mathcal{P})$ such that $r =_A r'$. Thus $r =_B r'$ for
any $B \subseteq A$. □

Theorem 2 (Augmentation). $\mathcal{P} \vDash A \rhd B \to A, C \rhd B, C$, for any protocol $\mathcal{P}$
and any sets of channels $A$, $B$, and $C$.

Proof. Assume $\mathcal{P} \vDash A \rhd B$ and consider any two runs $r, r' \in \mathcal{R}(\mathcal{P})$ such that
$r =_{A,C} r'$. By our assumption, $r =_B r'$. Therefore, $r =_{B,C} r'$. □

Theorem 3 (Transitivity). $\mathcal{P} \vDash A \rhd B \to (B \rhd C \to A \rhd C)$, for any protocol
$\mathcal{P}$ and any sets of channels $A$, $B$, and $C$.

Proof. Assume $\mathcal{P} \vDash A \rhd B$ and $\mathcal{P} \vDash B \rhd C$. Consider any two runs $r, r' \in \mathcal{R}(\mathcal{P})$
such that $r =_A r'$. By the first assumption, $r =_B r'$. By the second assumption,
$r =_C r'$. □

Theorem 4 (Gateway). $\mathcal{P} \vDash A \rhd B \to G \rhd B$, for any protocol $\mathcal{P}$ and any
gateway $G$ between sets $A$ and $B$.

Proof. Assume $\mathcal{P} \vDash A \rhd B$ and consider any two runs $r_1, r_2 \in \mathcal{R}(\mathcal{P})$ such that
$r_1 =_G r_2$. We will show that $r_1 =_B r_2$. Consider the network $N'$ obtained by
removing from $N$ all channels in set $G$. By the definition of a gateway, no single
connected component of network $N'$ can contain channels from set $A \setminus G$ and
set $B \setminus G$ at the same time. Let us divide all connected components of $N'$ into
two subgraphs $N'_A$ and $N'_B$ such that $N'_A$ contains no channels from $B \setminus G$ and
$N'_B$ contains no channels from $A \setminus G$. Components that do not contain channels
from either $A \setminus G$ or $B \setminus G$ can be arbitrarily assigned to either $N'_A$ or $N'_B$.

Next, define a function $r$ on each $c \in Ch(N)$ as follows:

$$r(c) = \begin{cases} r_1(c) & \text{if } c \in N'_A, \\ r_1(c) = r_2(c) & \text{if } c \in G, \\ r_2(c) & \text{if } c \in N'_B. \end{cases}$$

We will prove that $r$ is a run of protocol $\mathcal{P}$. We need to show that $r$ satisfies
the local conditions of protocol $\mathcal{P}$ at each party $p$. The connected component of
$N'$ containing a party $p$ either belongs to $N'_A$ or $N'_B$. Without loss of generality,
assume that it belongs to $N'_A$. Thus, $Inc(p)$, the set of all channels in $N$ incident
with party $p$, is a subset of $Ch(N'_A) \cup G$. Hence, $r =_{Inc(p)} r_1$. Therefore, $r$ satisfies
the local condition at party $p$ simply because $r_1$ does.

By the definition of $r$, we have $r =_A r_1$ and $r =_B r_2$. Together, the first of
these statements and the assumption that $\mathcal{P} \vDash A \rhd B$ imply that $r =_B r_1$. Thus,
due to the second statement, $r_1 =_B r =_B r_2$. □

7 Completeness 

In this section, we demonstrate that the Logic of Secrets is complete with respect
to the semantics defined above. To do so, we first describe the construction of a
protocol called $\mathcal{P}_0$, which is implicitly parameterized by a collaboration network
$N$ and a set $X$ of formulas in $\Phi(N)$.

7.1 Protocol $\mathcal{P}_0$

Throughout this section, we will assume that $N$ is a fixed collaboration network,
and $X \subseteq \Phi(N)$ is a fixed set of formulas.

Definition 8. For any $A \subseteq Ch(N)$, we define $A^*$ to be the set of all channels
$c \in Ch(N)$ such that $X \vdash_N A \rhd c$.

Theorem 5. $A \subseteq A^*$, for any $A \subseteq Ch(N)$.

Proof. Let $a \in A$. By the Reflexivity axiom, $\vdash_N A \rhd a$. Hence, $a \in A^*$. □

Theorem 6. $X \vdash_N A \rhd A^*$, for any $A \subseteq Ch(N)$.

Proof. Let $A^* = \{a_1, \dots, a_n\}$. By the definition of $A^*$, $X \vdash_N A \rhd a_i$, for any
$i \le n$. We will prove, by induction on $k$, that $X \vdash_N (A \rhd a_1, \dots, a_k)$ for any
$0 \le k \le n$.

Base Case: $X \vdash_N A \rhd \varnothing$ by the Reflexivity axiom.

Induction Step: Assume that $X \vdash_N (A \rhd a_1, \dots, a_k)$. By the Augmentation
axiom,

$$X \vdash_N A, a_{k+1} \rhd a_1, \dots, a_k, a_{k+1}. \qquad (2)$$

Recall that $X \vdash_N A \rhd a_{k+1}$. Again by the Augmentation axiom, $X \vdash_N (A \rhd
A, a_{k+1})$. Hence, $X \vdash_N (A \rhd a_1, \dots, a_k, a_{k+1})$, by (2) and the Transitivity axiom.

□



We now proceed to define our protocol $\mathcal{P}_0$. We will first specify the set of
values $V(c)$ for each channel $c \in Ch(N)$. In this construction, the value of each
channel $c$ on a particular run will be a function from the set $2^{Ch(N)}$ into the set
$\{0, 1\}$. Thus, for any $c \in Ch(N)$ and any $E \subseteq Ch(N)$, we have $r(c)(E) \in \{0, 1\}$.
We will find it more convenient, however, to think about $r$ as a two-argument
Boolean function, where $r(c, E) \in \{0, 1\}$.

Furthermore, we will not allow the value of a channel on a particular run to
be just any function from the set $2^{Ch(N)}$ into $\{0, 1\}$. Instead, for any channel $c$,
we will restrict set $V(c)$ so that, for any run $r$, if $c \in E^*$, then $r(c, E) = 0$.

To complete the description of protocol $\mathcal{P}_0$, we will specify the local
conditions for each party in the network. At each party $p$, we define the local condition
$L_p$ as

$$\forall E \subseteq Ch(N) \; \forall c, d \in (Inc(p) \setminus E^*) \; (r(c, E) = r(d, E)).$$

That is, when two channels are incident with a party $p$ and neither channel is in
$E^*$, the values of the functions assigned to those channels on argument $E$ must
match on any given run.

To show that $\mathcal{P}_0$ is indeed a protocol, we only need to show that it has at
least one run. Indeed, the constant function $r(c, E) = 0$ trivially satisfies the
local condition at every party $p$.

Now that the definition of protocol $\mathcal{P}_0$ is complete, we make the following
two claims about its relationship to the given set of formulas $X$.

Theorem 7. If $\mathcal{P}_0 \vDash A \rhd B$, then $X \vdash_N A \rhd B$.

Proof. Assume $\mathcal{P}_0 \vDash A \rhd B$ and consider two specific runs of $\mathcal{P}_0$. The first of
these two runs will be the constant run $r_1(c, E) = 0$. The second run is defined
as

$$r_2(c, E) = \begin{cases} 1 & \text{if } c \notin A^* \text{ and } E = A, \\ 0 & \text{if } c \in A^* \text{ or } E \ne A. \end{cases} \qquad (3)$$

To show that $r_2$ satisfies the local condition at a party $p$, consider any $E \subseteq
Ch(N)$ and any $c, d \in Inc(p) \setminus E^*$. If $E \ne A$, then $r_2(c, E) = 0 = r_2(d, E)$. If
$E = A$, then, since $c, d \in Inc(p) \setminus E^*$, we have $c, d \notin A^*$. Thus, $r_2(c, E) = 1 =
r_2(d, E)$. Therefore, $r_2$ is a run of protocol $\mathcal{P}_0$.

Notice that by Theorem 5, $A \subseteq A^*$. Thus, by equality (3), $r_2(a, E) = 0$ for
any $a \in A$ and any $E \subseteq Ch(N)$. Hence, $r_1(a, E) = 0 = r_2(a, E)$ for any $a \in A$
and $E \subseteq Ch(N)$. Thus, by the assumption that $\mathcal{P}_0 \vDash A \rhd B$, we have $r_1(b, E) =
r_2(b, E)$ for any $b \in B$ and $E \subseteq Ch(N)$. In particular, $r_1(b, A) = r_2(b, A)$ for
any $b \in B$. Since, by definition, $r_1(b, A) = 0$, we get $r_2(b, A) = 0$ for any $b \in B$.
By the definition of $r_2$, this means that $B \subseteq A^*$. By the Reflexivity axiom,
$\vdash_N A^* \rhd B$. By Theorem 6 and the Transitivity axiom, $X \vdash_N A \rhd B$. □

Theorem 8. If $X \vdash_N A \rhd B$, then $\mathcal{P}_0 \vDash A \rhd B$.

Proof. Assume that $X \vdash_N A \rhd B$, but $\mathcal{P}_0 \nvDash A \rhd B$. Thus, there are runs $r_1$ and
$r_2$ of $\mathcal{P}_0$ such that $r_1(a, E) = r_2(a, E)$ for any $a \in A$ and any $E \subseteq Ch(N)$, but
there is $b_0 \in B$ and $E_0 \subseteq Ch(N)$ such that

$$r_1(b_0, E_0) \ne r_2(b_0, E_0). \qquad (4)$$

First, assume that network $N'$, obtained from $N$ by the removal of all channels
in set $E_0^*$, contains a path $\pi$ connecting channel $b_0$ with a channel $a_0 \in A$. Thus,
this case implicitly assumes that $b_0, a_0 \notin E_0^*$. Let functions $f_1$ and $f_2$ on the
channels of network $N$ be defined as $f_1(c) = r_1(c, E_0)$ and $f_2(c) = r_2(c, E_0)$. Due
to the local conditions of protocol $\mathcal{P}_0$, all channels along path $\pi$ must have the
same value of function $f_1$. The same is also true about function $f_2$. Therefore,
$r_1(b_0, E_0) = f_1(b_0) = f_1(a_0) = r_1(a_0, E_0) = r_2(a_0, E_0) = f_2(a_0) = f_2(b_0) =
r_2(b_0, E_0)$. This is a contradiction with statement (4).

Next, suppose that there is no path in $N'$ connecting $b_0$ with a channel in $A$.
Thus, set $E_0^*$ is a gateway between sets $A$ and $\{b_0\}$. By the Gateway axiom,

$$\vdash_N A \rhd b_0 \to E_0^* \rhd b_0. \qquad (5)$$

By the Reflexivity axiom, $\vdash_N B \rhd b_0$. Recall the assumption $X \vdash_N A \rhd B$. Thus,
by the Transitivity axiom, $X \vdash_N A \rhd b_0$. Taking into account (5), $X \vdash_N E_0^* \rhd b_0$.
By Theorem 6, $X \vdash_N E_0 \rhd E_0^*$. Hence, again by Transitivity, $X \vdash_N E_0 \rhd b_0$. Thus, by
Definition 8, $b_0 \in E_0^*$. Hence, by the definition of protocol $\mathcal{P}_0$, $r(b_0, E_0)$ has value
0 for any run $r$. Therefore, $r_1(b_0, E_0) = 0 = r_2(b_0, E_0)$. This is a contradiction
with statement (4). □

7.2 Main Result 

Now, we are ready to finish the proof of completeness. 

Theorem 9. If $\nvdash_N \phi$, then there is a finite protocol $\mathcal{P}$ such that $\mathcal{P} \nvDash \phi$.

Proof. Assume $\nvdash_N \phi$. Let $X$ be a maximal consistent set of formulas such that
$\neg\phi \in X$. Consider the finite protocol $\mathcal{P}_0$ parameterized by network $N$ and set of
formulas $X$. We will show that for any formula $\psi$, $X \vdash_N \psi$ if and only if $\mathcal{P}_0 \vDash \psi$
by induction on the structural complexity of formula $\psi$. The base case follows
from Theorems 7 and 8. The induction case follows from the maximality and
consistency of set $X$. To finish the proof of the theorem, select $\psi$ to be $\neg\phi$. □

Corollary 1. Binary relation $\vdash_N \phi$ is decidable.

Proof. This statement follows from the completeness of the Logic of Secrets with
respect to finite protocols and the recursive enumerability of all theorems in the
logic. □



8 Conclusion 

We have presented a complete axiomatization of the properties of the functional 
dependence relation over secrets on collaboration networks. In light of previous 
results capturing properties of the independence relation in the same setting [11], 
it would be interesting to describe properties that connect these two predicates 
on collaboration networks. 

An example of such a property for the network $N_6$ in Figure 6 is given in the
following theorem.

Fig. 6. Network $N_6$.

Theorem 10. For any protocol $\mathcal{P}$ over network $N_6$,

$$\mathcal{P} \vDash (a, b \rhd c) \wedge (a \parallel b) \to b \rhd c.$$

Proof. For any two runs $r_1, r_2 \in \mathcal{R}(\mathcal{P})$ where $r_1(b) = r_2(b)$, we must show that
$r_1(c) = r_2(c)$. The assumption $a \parallel b$ guarantees that values $r_1(a)$ and $r_2(b)$
coexist in some run in $\mathcal{R}(\mathcal{P})$; call this run $r_3$. Thus, we have $r_3(a) = r_1(a)$ and



Next, we create a new function $r_4$ which "glues" together runs $r_3$ and $r_2$ at
party $Q$. Formally, we define $r_4$ as



We claim that function $r_4$ satisfies the local conditions of protocol $\mathcal{P}$, since
at each party in $N_5$, it behaves locally like an existing run. Indeed, at party
$P$, $r_4$ matches run $r_3$, and at parties $R$ and $S$, $r_4$ matches run $r_2$. At party $Q$,
$r_4$ matches $r_2$ exactly, since $r_3(b) = r_2(b)$. Thus, $r_4 \in \mathcal{R}(\mathcal{P})$. To complete the
proof, we note that $r_1(a) = r_3(a) = r_4(a)$ and $r_1(b) = r_2(b) = r_4(b)$. By the
assumption that $(a, b \rhd c)$, we have $r_1(c) = r_4(c)$. The definition of $r_4$ is such
that $r_4(c) = r_2(c)$, so $r_1(c) = r_2(c)$, as desired. □

A complete axiomatization of properties that connect the functional depen- 
dence relation and the independence relation between secrets on a collaboration 
network remains an open problem. 